Are WhatsApp and GDPR on a Collision Course?

  • 27 Feb 2018

WhatsApp is a much-loved messaging app, with a billion users worldwide. While it’s great for group chats, free texts and voice calls and sharing photos and videos, WhatsApp is not suitable for a professional setting and could land you with a nasty fine from the Information Commissioner’s Office.

Although WhatsApp may seem like a cheap and cheerful option when it comes to workplace instant messaging, there are a number of reasons why it is not acceptable for professional use. With GDPR coming into effect in May, WhatsApp’s storage of user data is in violation of EU data protection law, regardless of Brexit. Despite plans to launch new apps for businesses, WhatsApp simply isn’t fit for purpose and could mean that your organisation fails to comply with GDPR, leaving you liable for charges of up to 4% of your global turnover.

GDPR & Data Protection

The biggest concern is how WhatsApp uses our contact lists. When you install the app, you give it permission to access all of the contacts on your device. This could be on a company supplied  mobile or the user’s own device. Either way, you are exposing the data of all of your personal and professional contacts without their permission. Security expert Matt Zweerink managed to exploit this to make a bot (with relative ease) that could access any WhatsApp user’s online/offline status, and more.

According to the new GDPR rules, companies are liable for the protection of clients’ and staff data, ruling out WhatsApp for use as a business communication platform for a number of reasons, including:

  1. Under GDPR, businesses are required to be able to audit who has access to what data. On WhatsApp, data, files and messages can be shared limitlessly without leaving a paper trail detailing who can see your files. On top of this, WhatsApp records data and archives it on its own servers – making it impossible to be GDPR compliant if your company uses it.
  2. Organisations must now keep a record of permissions from people whose data you store(which is violated by WhatsApp’s automatic use of your contact list).
  3. Data needs to be disposed of securely if a client wants to exercise their “right to be forgotten,” but WhatsApp archives everything on their servers, taking it out of your control. Anyone could also export all of the contacts they have access to onto their desktop, easily lifting personal data of employees out of your protection.
  4. You need to be able to ensure the protection of client data, even outside of the EU. WhatsApp are refusing to comply with France and Germany’s request for data samples as they feel that they are only beholden unto US laws on data protection, so they appear to have no qualms about not complying with GDPR. US privacy laws are weaker than the ones set out by the EU, which leaves your EU/UK based organisation non-GDPR compliant if you use WhatsApp.

For doctors and healthcare professionals this is extremely problematic. A British Medical Journal study found that over a third of doctors send sensitive patient data via web-messaging apps like WhatsApp, despite warnings from the NHS that this is not a secure enough way to handle clinical information. This leaves data highly vulnerable to human error or deliberate malpractice.

Although WhatsApp does boast end-to-end encryption, its security is far from watertight. Not only has it become a target of the seemingly inevitable cyber attacks, it is also owned by Facebook – a company that is notorious for its opaque use of user data. In fact, WhatsApp may be fined by French data protection authority CNIL for sharing data with Facebook.

Data protection is obviously a serious issue, and WhatsApp should be unequivocally ruled out for business use if you want to avoid GDPR fines. But that is not the only issue that makes WhatsApp unfit for professional use.

The Flood of Messages

Important information can get lost in the stream of messages in a large group chat. Anyone who has tried to scroll back and find the time and location of a planned evening activity in a group chat after a mere half hour discussion about what everyone plans to wear will know how quickly important information can get buried.

A study of NGO doctors in India using WhatsApp showed that, although WhatsApp provided a vital channel for the doctors to keep in touch with each other during a humanitarian effort, the topic of conversation changed frequently with no clear categorisation, making it difficult to find the relevant instruction on where to send vital supplies. There are plenty of purpose-built platforms that allow you to categorise your chats by subject into logical channels if you feel that email is not suitable, like Slack.

The same study of NGO doctors found that it also became difficult to use the WhatsApp chat-log for post-emergency analysis due to the vast amount of uncategorised messages. Best practice for business continuity involves taking an audit after an incident of who sent and received messages, how quickly everyone responded etc, which the WhatsApp chat-log stream of consciousness makes a near impossible task. For legal reasons it is also important for an organisation to have a record of employees’ messages, not to mention the usefulness of having past messages on hand if an employee leaves the organisation.

Mixing Business and Leisure

WhatsApp is primarily a private messaging app for keeping in touch with friends and family. Having your friends’ chat right next to your boss’s/employees’ could be… risky. Even on a work phone with no personal contacts, using a platform that is also used to send GIFs from Spongebob Squarepants is a jarring conflict of tone.

Using a private platform also blends work communication and home communication, something that many employees would rather avoid in the name of work/home separation. Keeping work data – especially sensitive data – on work servers where a Data Protection Officer can access it is a far more prudent approach.

Normalising the use of WhatsApp for work purposes also complicates communications by creating a distraction from the appropriate channels – such as Slack or Outlook. If one department is looking for updates on a situation via email but another is making enquiries via WhatsApp, then wires are bound to get crossed.

WhatsApp in a Crisis

WhatsApp provides a communication channel outside of company supervision which, although great for planning to go to the pub after work, can prevent managers from being able to control the message during a crisis. Having a consistent social media message is vital for PR, but if one member of staff has already forwarded your message to their friend who happens to be a journalist, then it’s out of your hands.

Reliance on internet connection, messy group communication rather than clear instructions from one trusted source and the inability to control access to any emergency documents you send (or ensure that they don’t get lost in the sea of messages) all mean that, even if WhatsApp was GDPR compliant, it still wouldn’t be a good choice as part of an emergency plan.

We love WhatsApp. I personally use it everyday. But it simply isn’t designed for business, and organisations must have a purpose-build system in place to keep their data safe if they don’t want to fall foul of GDPR.

Find out more at or contact us on Twitter @YUDUSentinel.

More on